In xmalloc.h, there is no check on the value passed to lsx_valloc, which is passed on to lsx_malloc and may cause an integer overflow. When the result overflows, it can trigger a heap-buffer-overflow because the allocated memory is smaller than expected. Attached is a sample of the input file; in this case the heap-buffer-overflow is triggered in remix.c line 237. The command to trigger the bug is --single-threaded <file> -t aiff /dev/null channels 1 rate 16k fade 3 norm. Information about the binary: 32-bit, limited to 800MB memory, under Linux Ubuntu 16.04, compiled with libmad only.
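The following is an added example, not code from the report or from the project. It shows how an unchecked allocation size wraps on a 32-bit build and how a checked allocator rejects the request instead. It assumes the size is computed as an element count multiplied by an element size (the report does not show the macro); `size32_t`, `unchecked_bytes`, `checked_bytes` and `checked_alloc_array` are hypothetical names, and the element count is constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Models the 32-bit size_t of the reported build so the wrap shows on any host. */
typedef uint32_t size32_t;

/* Unchecked pattern (assumed): count * element size, truncated to 32 bits. */
static size32_t unchecked_bytes(size32_t n, size32_t elem_size)
{
    return (size32_t)((uint64_t)n * elem_size);
}

/* Checked size: 0 on success with *out set, -1 if the product does not fit. */
static int checked_bytes(size32_t n, size32_t elem_size, size32_t *out)
{
    if (elem_size != 0 && n > UINT32_MAX / elem_size)
        return -1;
    *out = n * elem_size;
    return 0;
}

/* Hypothetical hardened array allocator for the host's real size_t. */
static void *checked_alloc_array(size_t n, size_t elem_size)
{
    if (elem_size != 0 && n > SIZE_MAX / elem_size) {
        errno = ENOMEM;   /* refuse instead of under-allocating */
        return NULL;
    }
    return malloc(n * elem_size ? n * elem_size : 1);
}

int main(void)
{
    size32_t n = 0x40000001u, bytes = 0;   /* constructed element count */
    printf("unchecked: %u elements -> %u bytes\n",
           (unsigned)n, (unsigned)unchecked_bytes(n, 4));
    printf("checked:   %s\n",
           checked_bytes(n, 4, &bytes) ? "rejected" : "accepted");
    void *p = checked_alloc_array(16, 4);
    printf("small request: %s\n", p ? "allocated" : "failed");
    free(p);
    return 0;
}
```

With the unchecked computation, a request for 0x40000001 four-byte elements becomes a 4-byte allocation, so any later code that indexes by the original count writes past the buffer.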